I found in a few articles advice to disable direct access to PHP scripts in “/wp-content/uploads”. I did a little research and observed that .php files placed in “/wp-content” and its subdirs were never directly accessed through the web. So I just completely disabled direct access to PHP scripts placed in that dir and its subdirs. Looks more secure.
PS
I made a mistake. At least the TinyMCE PHP scripts must be accessible through the web. So I just converted the rules that touch ‘/wp-includes’ for nginx:
location ~* /wp-includes {
    location ~* /wp-includes/[^/]+\.php$ { deny all; }
    location ~* /wp-includes/js/tinymce/langs/.+\.php$ { deny all; }
    location ~* /wp-includes/theme-compat { deny all; }
    location ~ /wp-includes/.+\.php$ { include php_wordpress_handler; }
}
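An offline check of which request paths the rules above deny and which reach PHP, added here as an example and not written by the commenter. It assumes a simplified model of nginx (the first matching nested regex location wins, matched against the path without the query string), and the sample paths are constructed.

```python
import re

# Regex locations from the config above, in file order.
# nginx "~*" is case-insensitive, "~" is case-sensitive.
OUTER = (r"/wp-includes", True)
NESTED = [
    (r"/wp-includes/[^/]+\.php$", True, "deny"),
    (r"/wp-includes/js/tinymce/langs/.+\.php$", True, "deny"),
    (r"/wp-includes/theme-compat", True, "deny"),
    (r"/wp-includes/.+\.php$", False, "php"),
]

def _matches(pattern, insensitive, uri):
    # nginx regex locations are unanchored unless the pattern anchors itself.
    flags = re.IGNORECASE if insensitive else 0
    return re.search(pattern, uri, flags) is not None

def classify(uri):
    """Return 'deny', 'php', 'static' or 'outside' for a request path.

    'static' is an assumption: the outer location has no directives of
    its own, so unmatched paths get whatever the server block inherits.
    """
    if not _matches(*OUTER, uri):
        return "outside"
    for pattern, insensitive, action in NESTED:
        if _matches(pattern, insensitive, uri):
            return action
    return "static"

# Constructed sample paths covering each rule and the fall-through cases.
SAMPLES = [
    "/wp-includes/version.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/css/buttons.css",
    "/wp-includes/js/tinymce/wp-tinymce.PHP",  # last rule is case-sensitive
    "/index.php",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{classify(path):8} {path}")
```

The uppercase `.PHP` sample is not handed to the PHP handler because the last location uses `~` rather than `~*`, which matters on hosts with a case-insensitive file system.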